Medium severity · 6.6 · NVD Advisory · Published May 17, 2024 · Updated Apr 15, 2026
CVE-2024-5042
CVE-2024-5042
Description
A flaw was found in the Submariner project. Due to unnecessary role-based access control permissions, a privileged attacker can run a malicious container on a node that may allow them to steal service account tokens and further compromise other nodes and potentially the entire cluster.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/submariner-io/submariner-operator (Go) | >= 0.16.0-m0, < 0.16.4 | 0.16.4 |
| github.com/submariner-io/submariner-operator (Go) | >= 0.17.0-m0, < 0.17.2 | 0.17.2 |
| github.com/submariner-io/submariner-operator (Go) | < 0.15.4 | 0.15.4 |
| github.com/submariner-io/submariner-operator (Go) | >= 0.18.0-m0, < 0.18.0-rc0 | 0.18.0-rc0 |
Patches
1. b27a04c4270e — Restrict operator ClusterRole*, ServiceAccount permissions
5 files changed · +40 −13
config/rbac/submariner-operator/cluster_role.yaml+3 −0 modified@@ -76,5 +76,8 @@ rules: # Temporarily needed for network-plugin syncer removal - clusterroles - clusterrolebindings + resourceNames: + - ocp-submariner-networkplugin-syncer + - submariner-networkplugin-syncer verbs: - delete
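Review bot: The new resourceNames list is a hard coupling with the object names deleted in controllers/submariner/np_syncer_resources.go (the NetworkPluginSyncerComponent constant and the "ocp-submariner-networkplugin-syncer" literal); if either side is renamed, the cleanup fails with a Forbidden error instead of succeeding as the old, broader rule allowed, and nothing in the YAML points a maintainer at that. Add a comment above the list, `# Must match the ClusterRole/ClusterRoleBinding names deleted in np_syncer_resources.go`, and the same on the serviceaccounts rule in role.yaml (the next file section), whose resourceNames entry has the identical dependency. The copies in pkg/embeddedyamls/yamls.go are the embedded form of these files and only need the comment if the generator preserves comments. Note that resourceNames restricts only per-object verbs; it is effective here because the rule's only verb is delete, so adding deletecollection or list to this rule later would silently widen it again.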
config/rbac/submariner-operator/role.yaml+2 −0 modified@@ -19,6 +19,8 @@ rules: resources: # Temporarily needed for network-plugin syncer removal - serviceaccounts + resourceNames: + - submariner-networkplugin-syncer verbs: - delete - apiGroups:
controllers/submariner/migration_test.go+24 −0 modified@@ -55,12 +55,24 @@ var _ = Describe("Migration tests", func() { Name: submariner.NetworkPluginSyncerComponent, }, }, + &rbacv1.ClusterRole{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: t.Namespace, + Name: "ocp-submariner-networkplugin-syncer", + }, + }, &rbacv1.ClusterRoleBinding{ ObjectMeta: metav1.ObjectMeta{ Namespace: t.Namespace, Name: submariner.NetworkPluginSyncerComponent, }, }, + &rbacv1.ClusterRoleBinding{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: t.Namespace, + Name: "ocp-submariner-networkplugin-syncer", + }, + }, &corev1.ServiceAccount{ ObjectMeta: metav1.ObjectMeta{ Namespace: t.Namespace, @@ -83,6 +95,18 @@ var _ = Describe("Migration tests", func() { }, }) + t.AssertNoResource(&rbacv1.ClusterRole{ + ObjectMeta: metav1.ObjectMeta{ + Name: "ocp-submariner-networkplugin-syncer", + }, + }) + + t.AssertNoResource(&rbacv1.ClusterRoleBinding{ + ObjectMeta: metav1.ObjectMeta{ + Name: "ocp-submariner-networkplugin-syncer", + }, + }) + t.AssertNoResource(&corev1.ServiceAccount{ ObjectMeta: metav1.ObjectMeta{ Name: submariner.NetworkPluginSyncerComponent,
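Review bot: The literal "ocp-submariner-networkplugin-syncer" now appears four times in this test and once in np_syncer_resources.go with no shared definition, so a typo in one copy lets the test pass while the operator deletes (or is authorised to delete) a differently named object; define it once next to NetworkPluginSyncerComponent, e.g. `OCPNetworkPluginSyncerComponent = "ocp-submariner-networkplugin-syncer"`, and reference it from both the test fixtures and the AssertNoResource calls. The added fixtures also set `Namespace: t.Namespace` on ClusterRole and ClusterRoleBinding, which are cluster-scoped kinds, while the AssertNoResource lookups omit it; presumably the fake client tolerates that, but it mirrors the pre-existing entries rather than the API and deserves a one-line comment. The enclosing Describe block starts and ends outside the hunk.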
controllers/submariner/np_syncer_resources.go+6 −13 modified@@ -43,7 +43,6 @@ func (r *Reconciler) removeNetworkPluginSyncerDeployment(ctx context.Context, in deleteAll := func(objs ...client.Object) error { for _, obj := range objs { - obj.SetName(NetworkPluginSyncerComponent) obj.SetNamespace(instance.Namespace) err := r.config.ScopedClient.Delete(ctx, obj) @@ -59,38 +58,32 @@ func (r *Reconciler) removeNetworkPluginSyncerDeployment(ctx context.Context, in return deleteAll( &appsv1.Deployment{ ObjectMeta: metav1.ObjectMeta{ - Namespace: instance.Namespace, - Name: NetworkPluginSyncerComponent, + Name: NetworkPluginSyncerComponent, }, }, &rbacv1.ClusterRole{ ObjectMeta: metav1.ObjectMeta{ - Namespace: instance.Namespace, - Name: NetworkPluginSyncerComponent, + Name: NetworkPluginSyncerComponent, }, }, &rbacv1.ClusterRoleBinding{ ObjectMeta: metav1.ObjectMeta{ - Namespace: instance.Namespace, - Name: NetworkPluginSyncerComponent, + Name: NetworkPluginSyncerComponent, }, }, &rbacv1.ClusterRole{ ObjectMeta: metav1.ObjectMeta{ - Namespace: instance.Namespace, - Name: "ocp-submariner-networkplugin-syncer", + Name: "ocp-submariner-networkplugin-syncer", }, }, &rbacv1.ClusterRoleBinding{ ObjectMeta: metav1.ObjectMeta{ - Namespace: instance.Namespace, - Name: "ocp-submariner-networkplugin-syncer", + Name: "ocp-submariner-networkplugin-syncer", }, }, &corev1.ServiceAccount{ ObjectMeta: metav1.ObjectMeta{ - Namespace: instance.Namespace, - Name: NetworkPluginSyncerComponent, + Name: NetworkPluginSyncerComponent, }, }, )
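Review bot: With obj.SetName gone, the loop still calls `obj.SetNamespace(instance.Namespace)` on every object, including the ClusterRole and ClusterRoleBinding entries that are cluster-scoped, so the explicit Namespace fields removed from the literals are reinstated at runtime anyway; I believe controller-runtime's client drops the namespace for non-namespaced kinds, but it makes the now-narrowed RBAC harder to reason about. Move the namespace into the two namespaced literals (`Namespace: instance.Namespace,` on the Deployment and on the ServiceAccount) and drop the SetNamespace call from the loop. Since each object is now deleted under the name it carries, a short comment on deleteAll, `// deleteAll deletes each object by the name it carries; cluster-scoped objects ignore the namespace`, would make that contract explicit for whoever adds the next entry. removeNetworkPluginSyncerDeployment begins before the first hunk, and the error handling after the Delete call is outside the view.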
pkg/embeddedyamls/yamls.go+5 −0 modified@@ -2519,6 +2519,8 @@ rules: resources: # Temporarily needed for network-plugin syncer removal - serviceaccounts + resourceNames: + - submariner-networkplugin-syncer verbs: - delete - apiGroups: @@ -2666,6 +2668,9 @@ rules: # Temporarily needed for network-plugin syncer removal - clusterroles - clusterrolebindings + resourceNames: + - ocp-submariner-networkplugin-syncer + - submariner-networkplugin-syncer verbs: - delete `
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (12)
- github.com/advisories/GHSA-2rhx-qhxp-5jpw (nvd · ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-5042 (ghsa · ADVISORY)
- access.redhat.com/errata/RHSA-2024:4591 (nvd · WEB)
- access.redhat.com/errata/RHSA-2026:6503 (nvd · WEB)
- access.redhat.com/security/cve/CVE-2024-5042 (nvd · WEB)
- bugzilla.redhat.com/show_bug.cgi (nvd · WEB)
- github.com/submariner-io/submariner-operator/commit/b27a04c4270e53cbff6ff8ac6245db10c204bcab (ghsa · WEB)
- github.com/submariner-io/submariner-operator/issues/3041 (ghsa · WEB)
- github.com/submariner-io/submariner-operator/pull/3040 (ghsa · WEB)
- github.com/submariner-io/submariner-operator/pull/3045 (ghsa · WEB)
- github.com/submariner-io/submariner-operator/pull/3046 (ghsa · WEB)
- github.com/submariner-io/submariner-operator/pull/3049 (ghsa · WEB)
News mentions (0)
No linked articles in our index yet.